Don’t Let DNS Flag Day Become Your DNS Doomsday
News flash: your DNS might be broken, and you don't even know it. But wait: how could I not know my DNS is broken? The answer lies in the history of the DNS standards and in the way features have been cobbled together inside authoritative and recursive DNS server software. It all started going south about 19 years ago with the introduction of Extension Mechanisms for DNS, EDNS(0), first specified in RFC 2671. The standard was consolidated in 2013 as RFC 6891, but the feature set built on top of it has kept evolving ever since.
So what's the big deal? What does EDNS(0) do for me? EDNS(0) adds an OPT pseudo-record to a DNS message, and that record is how features such as DNSSEC, Client Subnet and other "extensions" are signalled within the DNS protocol. It also lets a server send UDP responses larger than the 512-byte limit of the original protocol. The problem facing the Internet is how some DNS servers react when they are asked about EDNS(0) features they do not implement. The standard is explicit: a server that does not understand a particular EDNS option or flag must ignore it and answer normally, a server that does not understand the EDNS version must answer with BADVERS, and a server with no EDNS support at all must answer with FORMERR and no OPT record. A broken DNS server does none of these things; it either does not respond to the request at all or, in the worst cases, simply crashes.
The result is no DNS response at all to the recursive server that asked. Most recursive servers watch the first request (the one carrying EDNS(0) data) time out and then retry WITHOUT the EDNS(0) information. That retry is a workaround, and it makes resolution terribly slow: responses can take upwards of 5 to 10 seconds, depending on the timeout settings of the recursive resolver. The workaround is not pretty and is terrible for Internet performance. It is also a downgrade path: anything that can make the first query time out pushes the resolver back to EDNS-less queries, so recursive providers have all the more incentive to tighten the code.
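The two paragraphs above describe behaviour you can measure yourself. The script below is an added example, not code from the original post or from the DNS Flag Day project: it builds the same kinds of queries the Flag Day compliance checks used (plain DNS, EDNS(0), and an unknown EDNS version) from raw wire bytes with only the Python standard library, classifies the reply against what RFC 6891 requires, and shows the cost of the resolver fallback just described. The server address, zone name and 3-second timeout are assumptions; make_reply constructs test fixtures and is not captured traffic.

```python
# Added example (not from the original post): an EDNS(0) compliance probe in the spirit of
# the DNS Flag Day checks, on hand-built wire messages so the parsing is testable offline.
# Server address, zone name and timeout are assumptions; make_reply builds constructed fixtures.
import random
import socket
import struct
import time

TYPE_SOA, TYPE_OPT = 6, 41
RCODE_FORMERR, RCODE_BADVERS = 1, 16   # BADVERS lives in the OPT record's extended RCODE


def encode_name(name):
    """Encode a dotted name as DNS wire labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, edns=True, edns_version=0, udp_size=4096, txid=None):
    """Non-recursive SOA query (RD clear, like `dig +norec`), optionally with an OPT RR."""
    txid = random.randrange(65536) if txid is None else txid
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_SOA, 1)
    if edns:
        # OPT pseudo-RR: root owner, TYPE 41, CLASS = our UDP payload size,
        # TTL = ext-RCODE(8) | VERSION(8) | DO bit + Z(16), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, edns_version << 16, 0)
    return txid, msg


def _skip_name(msg, off):
    """Advance past a possibly-compressed wire name and return the new offset."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off


def classify_response(txid, resp):
    """Map a raw UDP reply (None on timeout) to what RFC 6891 says a responder should do."""
    if resp is None:
        return "timeout"               # the broken behaviour Flag Day targeted
    try:
        rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
        if rid != txid:
            return "wrong-txid"
        rcode, off, opt_ttl = flags & 0x0F, 12, None
        for _ in range(qd):
            off = _skip_name(resp, off) + 4            # skip QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(resp, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                opt_ttl = ttl
    except (struct.error, IndexError):
        return "malformed"
    if opt_ttl is not None:
        rcode |= ((opt_ttl >> 24) & 0xFF) << 4         # fold in the extended RCODE
    if rcode == RCODE_BADVERS:
        return "badvers"               # correct reply to an unknown EDNS version
    if rcode == RCODE_FORMERR and opt_ttl is None:
        return "formerr-no-edns"       # legacy server with no EDNS: allowed by the RFC
    if rcode == 0 and opt_ttl is not None:
        return "ok-edns"               # compliant EDNS(0) responder
    if rcode == 0:
        return "ok-without-opt"        # answered but dropped the OPT record: not compliant
    return "rcode-%d" % rcode


def probe(server, zone, edns=True, edns_version=0, timeout=3.0):
    """Send one query over UDP and classify the reply; a timeout classifies as 'timeout'."""
    txid, q = build_query(zone, edns=edns, edns_version=edns_version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify_response(txid, resp)


def flag_day_report(server, zone):
    """The three checks that mattered on Flag Day: plain DNS, EDNS(0), unknown EDNS version."""
    return {
        "plain": probe(server, zone, edns=False),
        "edns0": probe(server, zone),                   # want ok-edns (formerr-no-edns tolerated)
        "edns1": probe(server, zone, edns_version=1),   # want badvers
    }


def resolve_with_fallback(server, zone, timeout=3.0):
    """The resolver workaround the post describes: EDNS first, retry without on timeout.
    Returns (verdict, attempts, seconds) so the latency cost of a broken server is visible."""
    t0 = time.monotonic()
    verdict = probe(server, zone, timeout=timeout)
    if verdict != "timeout":
        return verdict, 1, time.monotonic() - t0
    return probe(server, zone, edns=False, timeout=timeout), 2, time.monotonic() - t0


def make_reply(txid, zone, rcode=0, with_opt=True, ext_rcode=0):
    """Constructed reply for offline testing (QR set, empty answer), not captured traffic."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, 0, 0, 1 if with_opt else 0)
    msg = hdr + encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ext_rcode << 24, 0)
    return msg


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(flag_day_report(sys.argv[1], sys.argv[2]))
        print(resolve_with_fallback(sys.argv[1], sys.argv[2]))
    else:
        print("usage: edns_probe.py <authoritative-ip> <zone>")
```

Run it against one of your own authoritative servers with its zone name. A healthy server returns ok-edns for the EDNS(0) query and badvers for version 1; an old but RFC-compliant server returns formerr-no-edns; a timeout on the EDNS(0) probe while the plain probe answers is the exact failure the post is about, and resolve_with_fallback will show it costing a full timeout plus a second round trip before any answer arrives.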
Enter the mighty power of a conglomerate
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/dns-flag-day-dns-doomsday/